[c-nsp] RELATED: Feedback on: Security Advice for Routers and Switches

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Sun May 6 17:36:26 EDT 2007


Hi,
> Alan,
> 
> Did you try to disable ICMP redirects? (no ip redirects on the VLAN
> interface)?

ip local-proxy-arp seems to be the beast. Can anyone dissuade? With
this, coupled with DAI and a better L3 ACL on the VLAN, you should
be able to block any nefarious L3 attacks whilst reporting them, etc.

Oh, a word of warning to those implementing this: by default, if
there are a dozen or so ARP spoofs in a short space of time, then
it'll trigger a port error (arpspoof), which can be auto-reset with
an errdisable recovery, or you can avoid it by setting no limit on the
arpspoof count. This could bite if the interface was a trunk feed
from a whole building/subnet/campus ;-)

alan
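The combination the thread is converging on (no ip redirects and ip local-proxy-arp on the SVI, DAI on the VLAN, an inbound L3 ACL, and errdisable recovery for the ARP-inspection rate limit), written out as one IOS configuration. This is an added example, not config from Alan's or anyone else's post; the VLAN number, addresses, interface names, ACL name and the 5-minute recovery interval are assumptions chosen for illustration. DAI here takes its bindings from DHCP snooping, so the snooping database must exist first; the errdisable cause keyword IOS uses for the DAI rate limit is arp-inspection. Local proxy ARP makes the SVI answer ARP for hosts in its own subnet so host-to-host traffic hairpins through the L3 interface where the ACL can see it; it only covers hosts that learn their neighbours via ARP, so it is normally paired with protected ports or private VLANs rather than relied on alone.

```cisco
! Constructed example: VLAN 10 with gateway 192.0.2.1/24, access ports
! Gi1/0/1-47, building uplink trunk on Gi1/0/48 (all assumed values).

! DHCP snooping builds the IP/MAC binding table that DAI validates against.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10

! Illustrative L3 ACL: log and drop one intra-subnet service, allow the rest.
ip access-list extended VLAN10-IN
 deny   tcp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 445 log
 permit ip 192.0.2.0 0.0.0.255 any

interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 ip local-proxy-arp
 ip access-group VLAN10-IN in

! Uplink: trusted for snooping and DAI, so a trunk carrying a whole
! building's ARP traffic is never rate-limited or err-disabled by it.
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust

! Access ports: untrusted; the 15 pps limit is the IOS default for
! untrusted ports and is stated explicitly here. Exceeding it puts the
! port into err-disable.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15

! Alternative for a feed that cannot be marked trusted: remove the limit
! so a burst of spoofs does not take the whole port down.
! interface GigabitEthernet1/0/47
!  ip arp inspection limit none

! Bring err-disabled ports back automatically after 300 seconds.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Verify with show ip arp inspection vlan 10 and show ip arp inspection interfaces that the trunk reports Trusted and the access ports report the expected rate limit; show errdisable recovery lists arp-inspection among the enabled causes.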

